xorddos | fa0a5c652d3a69d21ce4a5eb65f95537d880fd41190d73eaffc38aa070047108

Analysis

max time kernel
128s
max time network
69s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20231215-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20231215-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
20-12-2023 01:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

79a7792955c2e7137c68bec4803ce65b
Size

611KB
MD5

79a7792955c2e7137c68bec4803ce65b
SHA1

43763f2832b4329f2c3f8aca4fba6aa3522351f8
SHA256

fa0a5c652d3a69d21ce4a5eb65f95537d880fd41190d73eaffc38aa070047108
SHA512

360fc13ede6a35ae5fd489a48a760d99fc3c027000cf42da3c6f6a6cb9d0834692395547275751fe568cf0290de45a6d1c7d12c04a36297d17ce237da9aad3e3
SSDEEP

12288:FBXOvdwV1/n/dQFhWlH/c1dHo4h9L+zNZrrBT6yF8EEP4UlUuTh1AG:FBXmkN/+Fhu/Qo4h9L+zNNBBVEBl/91h

Score

10^/10

xorddos antivm botnet downloader persistence

Malware Config

Extracted

Family

xorddos

http://aa.finance1num.org/config.rar

cdn.netflix2cdn.com:8000

cdn.finance1num.com:8000

Attributes

crc_polynomial
EDB88320

xor.plain

Signatures

XorDDoS
Botnet and downloader malware targeting Linux-based operating systems and IoT devices.
botnet downloader xorddos

XorDDoS payload 11 IoCs

Processes:

resource	yara_rule
/lib/libudev.so	family_xorddos
/usr/bin/eisbkphyeb	family_xorddos
/usr/bin/eisbkphyeb	family_xorddos
/usr/bin/maymydqdti	family_xorddos
/usr/bin/maymydqdti	family_xorddos
/usr/bin/xviijsgpjr	family_xorddos
/usr/bin/xviijsgpjr	family_xorddos
/usr/bin/iecumbiyru	family_xorddos
/usr/bin/iecumbiyru	family_xorddos
/usr/bin/bvpzefqicj	family_xorddos
/usr/bin/bvpzefqicj	family_xorddos

Deletes itself 3 IoCs

Processes:

pid

1684
1681
1679

pid
1684
1681
1679

Executes dropped EXE 23 IoCs

Processes:

eisbkphyebeisbkphyebeisbkphyebeisbkphyebeisbkphyebmaymydqdtimaymydqdtimaymydqdtimaymydqdtimaymydqdtixviijsgpjrxviijsgpjrxviijsgpjrxviijsgpjrxviijsgpjriecumbiyruiecumbiyruiecumbiyruiecumbiyruiecumbiyrubvpzefqicjbvpzefqicjbvpzefqicj

ioc	pid	process
/usr/bin/eisbkphyeb	1592	eisbkphyeb
/usr/bin/eisbkphyeb	1618	eisbkphyeb
/usr/bin/eisbkphyeb	1621	eisbkphyeb
/usr/bin/eisbkphyeb	1625	eisbkphyeb
/usr/bin/eisbkphyeb	1627	eisbkphyeb
/usr/bin/maymydqdti	1631	maymydqdti
/usr/bin/maymydqdti	1634	maymydqdti
/usr/bin/maymydqdti	1637	maymydqdti
/usr/bin/maymydqdti	1640	maymydqdti
/usr/bin/maymydqdti	1643	maymydqdti
/usr/bin/xviijsgpjr	1646	xviijsgpjr
/usr/bin/xviijsgpjr	1649	xviijsgpjr
/usr/bin/xviijsgpjr	1651	xviijsgpjr
/usr/bin/xviijsgpjr	1655	xviijsgpjr
/usr/bin/xviijsgpjr	1657	xviijsgpjr
/usr/bin/iecumbiyru	1661	iecumbiyru
/usr/bin/iecumbiyru	1663	iecumbiyru
/usr/bin/iecumbiyru	1667	iecumbiyru
/usr/bin/iecumbiyru	1670	iecumbiyru
/usr/bin/iecumbiyru	1672	iecumbiyru
/usr/bin/bvpzefqicj	1676	bvpzefqicj
/usr/bin/bvpzefqicj	1678	bvpzefqicj
/usr/bin/bvpzefqicj	1682	bvpzefqicj

Checks CPU configuration 1 TTPs 1 IoCs
Checks CPU information which indicate if the system is a virtual machine.
antivm

Virtualization/Sandbox Evasion
T1497

Processes:

description ioc

File opened for reading /proc/cpuinfo
Creates/modifies Cron job 1 TTPs 2 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
persistence

Scheduled Task/Job
T1053

Processes:

sh

description ioc process

File opened for modification /etc/crontab sh
File opened for modification /etc/cron.hourly/gcc.sh
Modifies init.d 1 TTPs 1 IoCs
Adds/modifies system service, likely for persistence.
persistence

Boot or Logon Autostart Execution
T1547

Processes:

description ioc

File opened for modification /etc/init.d/79a7792955c2e7137c68bec4803ce65b

description	ioc
File opened for reading	/proc/cpuinfo

description	ioc	process
File opened for modification	/etc/crontab	sh
File opened for modification	/etc/cron.hourly/gcc.sh

description	ioc
File opened for modification	/etc/init.d/79a7792955c2e7137c68bec4803ce65b

Write file to user bin folder 1 TTPs 5 IoCs

Hijack Execution Flow

T1574

Processes:

description	ioc
File opened for modification	/usr/bin/eisbkphyeb
File opened for modification	/usr/bin/maymydqdti
File opened for modification	/usr/bin/xviijsgpjr
File opened for modification	/usr/bin/iecumbiyru
File opened for modification	/usr/bin/bvpzefqicj

Reads runtime system information 10 IoCs

Reads data from /proc virtual filesystem.

Processes:

systemctlsed

description	ioc	process
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/sys/kernel/osrelease	systemctl
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/meminfo
File opened for reading	/proc/rs_dev
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/stat
File opened for reading	/proc/1/sched	systemctl
File opened for reading	/proc/cmdline	systemctl

/tmp/79a7792955c2e7137c68bec4803ce65b
/tmp/79a7792955c2e7137c68bec4803ce65b
1⤵
PID:1579

/bin/sh
sh -c "sed -i '/\\/etc\\/cron.hourly\\/gcc.sh/d' /etc/crontab && echo '*/3 * * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab"
1⤵
- Creates/modifies Cron job
PID:1585
- /bin/sed
  sed -i "/\\/etc\\/cron.hourly\\/gcc.sh/d" /etc/crontab
  2⤵
  - Reads runtime system information
  PID:1586

/bin/chkconfig
chkconfig --add 79a7792955c2e7137c68bec4803ce65b
1⤵
PID:1582

/sbin/chkconfig
chkconfig --add 79a7792955c2e7137c68bec4803ce65b
1⤵
PID:1582

/usr/bin/chkconfig
chkconfig --add 79a7792955c2e7137c68bec4803ce65b
1⤵
PID:1582

/usr/sbin/chkconfig
chkconfig --add 79a7792955c2e7137c68bec4803ce65b
1⤵
PID:1582

/usr/local/bin/chkconfig
chkconfig --add 79a7792955c2e7137c68bec4803ce65b
1⤵
PID:1582

/usr/local/sbin/chkconfig
chkconfig --add 79a7792955c2e7137c68bec4803ce65b
1⤵
PID:1582

/usr/X11R6/bin/chkconfig
chkconfig --add 79a7792955c2e7137c68bec4803ce65b
1⤵
PID:1582

/bin/update-rc.d
update-rc.d 79a7792955c2e7137c68bec4803ce65b defaults
1⤵
PID:1584

/sbin/update-rc.d
update-rc.d 79a7792955c2e7137c68bec4803ce65b defaults
1⤵
PID:1584

/usr/bin/update-rc.d
update-rc.d 79a7792955c2e7137c68bec4803ce65b defaults
1⤵
PID:1584

/usr/sbin/update-rc.d
update-rc.d 79a7792955c2e7137c68bec4803ce65b defaults
1⤵
PID:1584
- /bin/systemctl
  systemctl daemon-reload
  2⤵
  - Reads runtime system information
  PID:1590

/usr/bin/eisbkphyeb
/usr/bin/eisbkphyeb "cat resolv.conf" 1580
1⤵
- Executes dropped EXE
PID:1592

/usr/bin/eisbkphyeb
/usr/bin/eisbkphyeb top 1580
1⤵
- Executes dropped EXE
PID:1618

/usr/bin/eisbkphyeb
/usr/bin/eisbkphyeb uptime 1580
1⤵
- Executes dropped EXE
PID:1621

/usr/bin/eisbkphyeb
/usr/bin/eisbkphyeb who 1580
1⤵
- Executes dropped EXE
PID:1625

/usr/bin/eisbkphyeb
/usr/bin/eisbkphyeb "grep \"A\"" 1580
1⤵
- Executes dropped EXE
PID:1627

/usr/bin/maymydqdti
/usr/bin/maymydqdti "ls -la" 1580
1⤵
- Executes dropped EXE
PID:1631

/usr/bin/maymydqdti
/usr/bin/maymydqdti gnome-terminal 1580
1⤵
- Executes dropped EXE
PID:1634

/usr/bin/maymydqdti
/usr/bin/maymydqdti sh 1580
1⤵
- Executes dropped EXE
PID:1637

/usr/bin/maymydqdti
/usr/bin/maymydqdti top 1580
1⤵
- Executes dropped EXE
PID:1640

/usr/bin/maymydqdti
/usr/bin/maymydqdti "netstat -antop" 1580
1⤵
- Executes dropped EXE
PID:1643

/usr/bin/xviijsgpjr
/usr/bin/xviijsgpjr "grep \"A\"" 1580
1⤵
- Executes dropped EXE
PID:1646

/usr/bin/xviijsgpjr
/usr/bin/xviijsgpjr gnome-terminal 1580
1⤵
- Executes dropped EXE
PID:1649

/usr/bin/xviijsgpjr
/usr/bin/xviijsgpjr "sleep 1" 1580
1⤵
- Executes dropped EXE
PID:1651

/usr/bin/xviijsgpjr
/usr/bin/xviijsgpjr "ps -ef" 1580
1⤵
- Executes dropped EXE
PID:1655

/usr/bin/xviijsgpjr
/usr/bin/xviijsgpjr "cd /etc" 1580
1⤵
- Executes dropped EXE
PID:1657

/usr/bin/iecumbiyru
/usr/bin/iecumbiyru "sleep 1" 1580
1⤵
- Executes dropped EXE
PID:1661

/usr/bin/iecumbiyru
/usr/bin/iecumbiyru uptime 1580
1⤵
- Executes dropped EXE
PID:1663

/usr/bin/iecumbiyru
/usr/bin/iecumbiyru "ifconfig eth0" 1580
1⤵
- Executes dropped EXE
PID:1667

/usr/bin/iecumbiyru
/usr/bin/iecumbiyru pwd 1580
1⤵
- Executes dropped EXE
PID:1670

/usr/bin/iecumbiyru
/usr/bin/iecumbiyru top 1580
1⤵
- Executes dropped EXE
PID:1672

/usr/bin/bvpzefqicj
/usr/bin/bvpzefqicj su 1580
1⤵
- Executes dropped EXE
PID:1676

/usr/bin/bvpzefqicj
/usr/bin/bvpzefqicj who 1580
1⤵
- Executes dropped EXE
PID:1678

/usr/bin/bvpzefqicj
/usr/bin/bvpzefqicj "cd /etc" 1580
1⤵
- Executes dropped EXE
PID:1682

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Scheduled Task/Job

T1053

Defense Evasion

Hijack Execution Flow

T1574

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/cron.hourly/gcc.sh

Filesize
228B

MD5
3bab747cedc5f0ebe86aaa7f982470cd

SHA1
3c7d1c6931c2b3dae39d38346b780ea57c8e6142

SHA256
74d31cac40d98ee64df2a0c29ceb229d12ac5fa699c2ee512fc69360f0cf68c5

SHA512
21e8a6d9ca8531d37def83d8903e5b0fa11ecf33d85d05edab1e0feb4acac65ae2cf5222650fb9f533f459ccc51bb2903276ff6f827b847cc5e6dac7d45a0a42

Download Submit
/etc/init.d/79a7792955c2e7137c68bec4803ce65b

Filesize
425B

MD5
b7089c73dd6006e347aac7750ba2e818

SHA1
0767ff2f767e29f96d0d0d07a46f3b54c4082f56

SHA256
bf0784639ffb9c9a6fdd666d26d992c6ca3d5d7815a231da8d4d81283f844d11

SHA512
689a104df455afb61e1b0587cbbd4c0f3d0ece4d0f44602aa1b283b27eb0a05704755ab67ec8a9b0daeece8a88ca03a27b5231cbd8094ff49dd830110d715da4

Download Submit
/etc/sedQPGQMH

Filesize
722B

MD5
8f111d100ea459f68d333d63a8ef2205

SHA1
077ca9c46a964de67c0f7765745d5c6f9e2065c3

SHA256
0e5c204385b21e15b031c83f37212bf5a4ee77b51762b7b54bd6ad973ebdf354

SHA512
d81767b47fb84aaf435f930356ded574ee9825ec710a2e7c26074860d8a385741d65572740137b6f9686c285a32e2951ca933393b266746988f1737aad059adb

Download Submit
/lib/libudev.so

Filesize
611KB

MD5
79a7792955c2e7137c68bec4803ce65b

SHA1
43763f2832b4329f2c3f8aca4fba6aa3522351f8

SHA256
fa0a5c652d3a69d21ce4a5eb65f95537d880fd41190d73eaffc38aa070047108

SHA512
360fc13ede6a35ae5fd489a48a760d99fc3c027000cf42da3c6f6a6cb9d0834692395547275751fe568cf0290de45a6d1c7d12c04a36297d17ce237da9aad3e3

Download Submit
/run/gcc.pid

Filesize
32B

MD5
cca0eb34a3060bad616630754d0f0d36

SHA1
0bd5a8595deec3971062c0b87c15ecf0f6996c8e

SHA256
38f6f1415ba176c4a0383a1a87830229fa0edcfcffb9797b1450ddf4e46c2297

SHA512
e882a6166a33d4d6ec362ec3748fa753e707e23d36385f65547468b7de454b2d5be6701718b4aa91fce44b54e36385c465fa5fa26aeba247ddd35f36fe031a2b

Download Submit
/usr/bin/bvpzefqicj

Filesize
611KB

MD5
a09a99a8368778cb9f52055f51d7818e

SHA1
ef750220cb7d0e7749efbcfbda72d6939a38d3e9

SHA256
4629e49f9b0716c23466a9c245426d2fc24395428edf1e4f9debb62c7bf97c75

SHA512
52e2f870ebb61c3b6c0c94d6098b070867bcd79e3419e302598512955bf645abac0596d7109886f89e4b62ae6fd7bbfa16083b8a6f21a01f9497b8ca4e12bcce

Download Submit
/usr/bin/bvpzefqicj

Filesize
611KB

MD5
70f0e857e0e6acfa0af38d850cca3059

SHA1
3866852487907522e2588d7eed48c6a237e57e60

SHA256
03d62b2db16c0f609364b185b7cd703586f38f5235ff923f0caa04664ecf2484

SHA512
899c156209801fdb7f3b1580d809eb7f833609cc1ddedc7cf99f261d9f5495fc5b9e624357cb8964540a8635f86113d31a1746529034cf58eccf5fa932391daa

Download Submit
/usr/bin/eisbkphyeb

Filesize
611KB

MD5
9ff9f41879dd2f2befbd68ad9580d59e

SHA1
ef5310259b5d21243d6756b9e617b5a728b47eb5

SHA256
0432b80806338fb5cca9b6e5a36b3b9c99a035e6fc1387aeb2fdcdaea9f49fbc

SHA512
74f81d1842d4a8715a6862879337bb34bf720a87578807dbb19ddfbd79b7c1f9f0cae2ab487d3e2dfc38db383361f4940e6b94685caead32cfb18f644f9e20f9

Download Submit
/usr/bin/eisbkphyeb

Filesize
611KB

MD5
e5ec1d3d5b87121aada05966c0c75768

SHA1
bf94bbe5f56981ca594d2e0c4a6d70d7a6436414

SHA256
a9f9d5d4e3c27a33afc24d4c8f8f8cdc74b406ae72a0d801076ecc1498f2c8ee

SHA512
7f95af8330a9702ddae85309f8291cc02fd9e206596bb43cb58024e97622ba88c3cab7ae0caa4c31e6c8418eed322f70019b0b39a14f20bef5ab8a8263aa5413

Download Submit
/usr/bin/iecumbiyru

Filesize
611KB

MD5
01122960f652e5bac28a8af7c6d6679f

SHA1
9392e8aad9ee78326c503b090d99527086d87d2b

SHA256
ae6a9d7345cdbc68636a4565388e67f46ea02caf85e2bc6fbb77f69650df7a01

SHA512
131e550cf54e95b77f7a153e48dbd28bc75346b162359ec95f7654c1b1397c8a89cedc480f961add5b320e5c7955299500ccc6d94403fb95cd27b9f0b5479c16

Download Submit
/usr/bin/iecumbiyru

Filesize
611KB

MD5
f505c6c4547e56077b175c87c2fc0562

SHA1
06494fae39f268c54de804abacecf7ae51d61ba5

SHA256
3bd0528309e13df5c95dcb429ead0169ffe40f99f4f39587f14a29b5775ab9ac

SHA512
824f340b66462086f56c23ef7f595a2c49de0375684ed327cae25dd8848522741270a3db81b88907b3e9392d8037cc402b227dc2124916283d210ac27f6e735e

Download Submit
/usr/bin/maymydqdti

Filesize
611KB

MD5
3fabeef92ca9e0abb17b14390d609338

SHA1
2ca4c07f917be1df498a9fe8a8b630842b296502

SHA256
e3dc903b64e6e6fc783d356ce97063af8efb0b832a9bda0578ef8f96c0ece83d

SHA512
e05dc0a8b47409c34678954c35e0d6bab796b7eda3b199f75c89c1c4751d6957f7443a15d1f5285232862683b6aa95415a9163e65472e8864c9eacb5e1d4a591

Download Submit
/usr/bin/maymydqdti

Filesize
611KB

MD5
d8e6a16546936843f369f6a0b2a84f34

SHA1
1ee2c83a5dc2b72966cfa25689ea9da65e81b354

SHA256
e2ba4dbaff8e271663c4e18fe80da7cc53c45c5725e886a63c87e4a75a246073

SHA512
7fdfc2bfe7ddd20e7e1de60c46f2d0af46d7ac326c87ca968b7bb6e8564e1d07cf81df8ad73b1feb79a43e6e5d77e31473a76e13eee808dc439da4d19c07887c

Download Submit
/usr/bin/xviijsgpjr

Filesize
611KB

MD5
680b3d11b885d0e6f8a99ca3bd36e5e7

SHA1
c84de68b8314c0511111a36a853ff178c7735372

SHA256
6e5d258ea5b3688891cd036d19b652aa0ae7f10e97f583df671af66b85f28b56

SHA512
147e97f5f3cbd68c45a87aeb9aa4dd0a7bd5630d0ce57bfd90b555e0b0c16eeca2b7d47ae30c3b0b7f42209868e7d065c17c598d373c986cfc5eead056701eab

Download Submit
/usr/bin/xviijsgpjr

Filesize
611KB

MD5
70ff76179725c44e1a6eaacd08a2f257

SHA1
8201e51e9183e1b3350acfa6d7d6fbf0e89e8dc6

SHA256
c8c5ae7015728da031ea31fe59ea8e6d047686c331a914b9c5401ac0ed846dba

SHA512
33748384505fc51e489372bb78e9b86300cf39506076dc74045042f2d9d7bbfdb86d6331eeb43647915a3cdb142bcdd53266b8ea83752fe6092b9372d4edb91c

Download Submit